DETAILED ACTION 

1. This action is responsive to the amendment filed on 7/19/06. Claims 1, 16-17, 25, 35, 50-51, 59, 69, 84-85 & 93 were amended. Claims 2-3, 27, 36-37, 61, 70-71 & 95 were canceled. Claims 103-108 were added. Claims 1, 4-26, 28-35, 38-60, 62-69, 72-94 and 96-108 are pending. Claims 1, 4-26, 28-35, 38-60, 62-69, 72-94 and 96-108 are directed to a method, an apparatus, and a computer-readable medium for detecting and protecting against worm traffic on a network. 



Claim Rejections - 35 USC § 112 

2. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

3. Claims 1, 35 and 69 are rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention. It is unclear to the examiner what is meant by stating "expected to receive smaller amounts of the communication traffic than other addresses in the group". Why is that? What is the purpose of identifying this particular subset as the addresses expected to receive smaller amounts of communication traffic? Why is that expectation made? 
Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

5. Claims 1, 4-11, 21-22, 25-26, 28-35, 38-45, 55-56, 59-60, 62-69, 72-79, 89-90, 93-94, 96-103, 105 & 107 are rejected under 35 U.S.C. 102(e) as being anticipated by Lyle, U.S. Patent No. 6,886,102 B1. Lyle teaches the invention as claimed, including a system and method for protecting a computer network against denial of service attacks (see abstract). 

6. As to claim 1, Lyle teaches a method for processing communication traffic, comprising: 

identifying a subset of the group of the addresses such that the addresses in the subset are expected to receive smaller amounts of the communication traffic than other addresses in the group (figure 8; col 14, line 56 - col 15, line 30; Lyle discloses determining the baseline incident rate for the affected network and the prescribed amount by which it may be exceeded. Lyle also discloses determining the baseline incident rate for the sub-network); 

monitoring the communication traffic that is directed to the addresses in the subset (col 5, lines 12-17; Lyle discloses monitoring the network connection used to send and receive information via the network and other computers); 

determining respective baseline characteristics of the communication traffic that is directed to each of the addresses in the subset (col 8, lines 14-20; Lyle discloses determining the baseline incident rate and the variance used for all networks); 

detecting a deviation from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the group, wherein the deviation is indicative that at least a portion of the communication traffic is of potentially malicious origin (col 10, lines 28-34; Lyle discloses monitoring the network traffic for a suspiciously high volume of network traffic and for the particular portion that is attacked); and 

responsively to detecting the deviation, filtering the communication traffic that is directed to all of the addresses in the group so as to remove at least some of the communication traffic that is of the malicious origin (col 14, lines 26-34; Lyle discloses that the framework module, upon analysis, takes the responsive action of alerting the network security administrator and stopping the malicious flow of network traffic). 
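As an added illustration of the five steps of claim 1 (example code written for this page; it is neither the applicant's implementation nor anything disclosed by Lyle), the following Python runs the method over constructed traffic. The assumptions are: packets are plain dicts with time, source, destination and protocol; the subset expected to receive little traffic is the half of the group with the fewest packets in a baseline period; the baseline characteristics are the per-address mean and standard deviation of packets per window plus the protocols and sources seen; and the threshold constants K and MIN_MARGIN are chosen for the sample.

```python
from collections import Counter
from statistics import mean, pstdev

K = 3.0           # deviation threshold in standard deviations (assumed value)
MIN_MARGIN = 1.0  # a quiet address with zero variance still needs a one-packet margin

def quiet_subset(packets, group, fraction=0.5):
    """Identify the subset of `group` expected to receive the least traffic: the lower
    `fraction` of the group ranked by packet count in the baseline period."""
    counts = Counter(p["dst"] for p in packets if p["dst"] in group)
    ranked = sorted(group, key=lambda a: counts.get(a, 0))
    return set(ranked[:max(1, int(len(group) * fraction))])

def baseline(packets, subset, window, n_windows):
    """Per-address baseline characteristics: mean and standard deviation of packets per
    `window` seconds, plus the protocols and source addresses seen."""
    per_win = {a: [0] * n_windows for a in subset}
    protos, srcs = {a: set() for a in subset}, {a: set() for a in subset}
    for p in packets:
        a = p["dst"]
        if a in subset:
            per_win[a][min(int(p["t"] // window), n_windows - 1)] += 1
            protos[a].add(p["proto"])
            srcs[a].add(p["src"])
    return {a: {"mean": mean(per_win[a]), "std": pstdev(per_win[a]),
                "protos": protos[a], "srcs": srcs[a]} for a in subset}

def detect_deviation(packets, base):
    """Check one observation window against the baseline. An address deviates when its
    packet count exceeds mean + K*std (at least MIN_MARGIN above the mean) or a protocol
    never seen in its baseline appears. Returns (deviating addresses, sources that sent
    to a deviating address but were absent from its baseline)."""
    counts = Counter(p["dst"] for p in packets if p["dst"] in base)
    deviating = set()
    for a, b in base.items():
        threshold = b["mean"] + max(K * b["std"], MIN_MARGIN)
        new_proto = any(p["dst"] == a and p["proto"] not in b["protos"] for p in packets)
        if counts.get(a, 0) > threshold or new_proto:
            deviating.add(a)
    sources = {p["src"] for p in packets
               if p["dst"] in deviating and p["src"] not in base[p["dst"]]["srcs"]}
    return deviating, sources

def filter_traffic(packets, group, suspicious_sources):
    """Responsive filtering applied to the whole group, not only the quiet subset."""
    return [p for p in packets
            if not (p["dst"] in group and p["src"] in suspicious_sources)]

# Constructed sample traffic (not captured data).
GROUP = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
WINDOW, N_WINDOWS = 10, 4

def _pkt(t, src, dst, proto="tcp"):
    return {"t": t, "src": src, "dst": dst, "proto": proto}

# Baseline period (40 s): .1 and .2 are busy servers, .3 and .4 see one packet per window.
BASELINE_PACKETS = []
for w in range(N_WINDOWS):
    for i in range(5):
        BASELINE_PACKETS.append(_pkt(w * WINDOW + i, "198.51.100.5", "10.0.0.1"))
        BASELINE_PACKETS.append(_pkt(w * WINDOW + i, "198.51.100.6", "10.0.0.2"))
    BASELINE_PACKETS.append(_pkt(w * WINDOW + 7, "198.51.100.5", "10.0.0.3"))
    BASELINE_PACKETS.append(_pkt(w * WINDOW + 8, "198.51.100.6", "10.0.0.4"))

# Observation window: a new source floods the quiet .3, another probes .4 with ICMP, and
# the first also reaches the busy .1, where its traffic alone would blend in unnoticed.
OBSERVED = [_pkt(40 + i, "192.0.2.7", "10.0.0.3") for i in range(5)] + [
    _pkt(41, "192.0.2.9", "10.0.0.4", "icmp"),
    _pkt(42, "192.0.2.7", "10.0.0.1"),
    _pkt(43, "198.51.100.5", "10.0.0.1"),
    _pkt(44, "198.51.100.5", "10.0.0.3"),
]

def run():
    subset = quiet_subset(BASELINE_PACKETS, GROUP)
    base = baseline(BASELINE_PACKETS, subset, WINDOW, N_WINDOWS)
    deviating, sources = detect_deviation(OBSERVED, base)
    kept = filter_traffic(OBSERVED, GROUP, sources)
    return subset, deviating, sources, kept

if __name__ == "__main__":
    print(run())
```

The quiet addresses act as a low-noise sensor: a handful of packets to them stands out, whereas the same packets to the busy .1 would sit inside normal variance. The filter is then applied to the whole group, as the last step of claim 1 requires, but it is keyed on sources absent from the baseline of the deviating address, so the legitimate 198.51.100.5, which also touched a quiet address, is not cut off.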

7. As to claim 4, Lyle teaches the method as recited in claim 1, wherein the baseline characteristics comprise a distribution of communication protocols used in generating the communication traffic (col 10, lines 19-28; Lyle discloses tracking the communication traffic using the sniffer module). 

8. As to claim 5, Lyle teaches the method as recited in claim 1, wherein the baseline characteristics comprise a distribution of ports to which the communication traffic is directed (col 14, lines 38-42; Lyle discloses tracking the source of the attack to determine the point at which the attack is entering the network or sub-network). 

9. As to claim 6, Lyle teaches the method as recited in claim 1, wherein the baseline characteristics comprise a distribution of source addresses of the communication traffic (col 14, lines 13-19; Lyle discloses characteristics of the incident, such as the source address, target address, and preceding characteristics). 

10. As to claim 7, Lyle teaches the method as recited in claim 1, wherein the baseline characteristics comprise a distribution of sizes of data packets sent to the addresses in the group (col 10, lines 44-53; Lyle discloses detecting a particular port that is receiving an unusually high number of data packets of any type, which the sniffer module identifies as a possible attack). 

11. As to claim 8, Lyle teaches the method as recited in claim 1, wherein the baseline characteristics are indicative of a distribution of operating systems running on computers that have transmitted the communication traffic (col 21, lines 32-49; Lyle discloses determining the system receiving and sending packets). 
12. As to claim 9, Lyle teaches the method as recited in claim 8, wherein detecting the deviation comprises reading a Time-To-Live (TTL) field in Internet Protocol headers of data packets sent to the addresses in the group, and detecting a change in values of the TTL field relative to the baseline characteristics (col 11, lines 26-38). 

13. As to claim 10, Lyle teaches the method as recited in claim 1, wherein detecting the deviation comprises detecting events that are indicative of a failure in communication between a first computer at one of the addresses in the group and a second computer at another location in the network (col 6, line 61 - col 7, line 15; Lyle discloses tracking the location of the core routers and any associated network element and blocking the potential attack). 

14. As to claim 11, Lyle teaches the method as recited in claim 10, wherein detecting the events comprises detecting failures to establish a Transmission Control Protocol (TCP) connection (col 22, lines 25-43). 

15. As to claim 21, Lyle teaches the method as recited in claim 1, wherein detecting the deviation comprises detecting a type of the communication traffic that appears to be of the malicious origin, and wherein monitoring the communication traffic comprises collecting specific information relating to the traffic of the detected type (col 4, lines 55-68; Lyle discloses monitoring the security of the computer network, such as for suspicious, malicious or virus packets). 

16. As to claim 22, Lyle teaches the method as recited in claim 21, wherein collecting the specific information comprises determining one or more source addresses of the traffic of the detected type (col 10, lines 38-43; Lyle discloses listing suspicious source addresses). 

17. As to claim 25, Lyle teaches a method for processing communication traffic, comprising: 

monitoring the communication traffic originating from a group of addresses and passing through a selected node on a network (col 12, lines 44-53; Lyle discloses monitoring the communication traffic of the network for sending and receiving packets); 

detecting a pattern in the traffic originating from at least one of the addresses that is indicative of a malicious program running on a computer at the at least one of the addresses by determining that the computer has transmitted packets to a large number of different destination addresses (col 10, lines 19-60; col 13, lines 9-21 & lines 38-55; Lyle discloses detecting a network pattern, such as by monitoring whether the event rate for a period of time exceeds by a prescribed amount the average event rate for that particular network or sub-network. Lyle also discloses detecting, at the router ports, whether a particular port is receiving an unusually high number of data packets of any type with a certain target destination or recipient address); and 

tracing a route of the traffic from the selected node back to the at least one of the addresses so as to identify a location of the computer on which the malicious program is running (col 6, lines 15-23; Lyle discloses a tracking system for the network elements of the protected area). 

18. As to claim 26, Lyle teaches the method as recited in claim 25, wherein tracing the route comprises identifying a port of a switch on the network to which the computer is connected, and comprising disabling the identified port (col 16, line 54 - col 17, line 13; Lyle discloses tracking the port at which the attack was detected, to identify the port of the node through which packets or messages associated with the attack are entering that node). 

19. As to claim 28, Lyle teaches the method as recited in claim 25, wherein detecting the pattern comprises detecting a large number of packets transmitted by the computer to a specified port (col 12, line 63 - col 13, line 8; Lyle discloses detecting when massive numbers of copies of a suspicious but relatively innocuous message are sent in the hope of overloading the security system). 
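The detection and trace-back of claims 25, 26 and 28, as an added example (written for this page; not the applicant's code and not anything disclosed by Lyle): a source is flagged when it reaches more than FANOUT_THRESHOLD distinct destinations, or sends more than PORT_THRESHOLD packets to one port, within a window, and the flagged source is then traced to a switch port. The flow-record shape, the two thresholds, and the ARP table and switch forwarding database (the hypothetical ARP_TABLE and FDB dicts) are assumptions standing in for what a guard device would query on a real network.

```python
from collections import defaultdict

FANOUT_THRESHOLD = 20   # distinct destinations per window (assumed value)
PORT_THRESHOLD = 50     # packets from one source to one port per window (assumed value)

def detect_scanners(flows, window):
    """flows: iterable of (t, src, dst, dport) records passing the monitored node.
    Flags a source that reached more than FANOUT_THRESHOLD distinct destinations in one
    window (claim 25), or sent more than PORT_THRESHOLD packets to a single port in one
    window (claim 28). Returns {src: reason}."""
    fanout = defaultdict(set)    # (window, src) -> destinations contacted
    per_port = defaultdict(int)  # (window, src, dport) -> packet count
    for t, src, dst, dport in flows:
        w = int(t // window)
        fanout[(w, src)].add(dst)
        per_port[(w, src, dport)] += 1
    flagged = {}
    for (w, src), dsts in sorted(fanout.items()):
        if len(dsts) > FANOUT_THRESHOLD:
            flagged.setdefault(src, f"{len(dsts)} distinct destinations in window {w}")
    for (w, src, dport), n in sorted(per_port.items()):
        if n > PORT_THRESHOLD:
            flagged.setdefault(src, f"{n} packets to port {dport} in window {w}")
    return flagged

def locate_switch_port(src_ip, arp_table, fdb):
    """Trace the source back to the access port it sits on: IP -> MAC through the ARP
    table, MAC -> (switch, port) through the switches' forwarding database. Returns None
    when the host cannot be located, so the caller never disables a guessed port."""
    mac = arp_table.get(src_ip)
    return fdb.get(mac) if mac else None

# Constructed sample data (not captured from a network).
WINDOW = 60
FLOWS = [(t, "10.1.1.50", f"10.1.2.{t + 1}", 445) for t in range(30)]    # one host sweeps a /24
FLOWS += [(t, "10.1.1.10", "10.1.2.200", 443) for t in range(0, 30, 6)]  # ordinary client
FLOWS += [(t, "10.1.1.10", "10.1.2.201", 443) for t in range(3, 30, 6)]
ARP_TABLE = {"10.1.1.50": "00:00:5e:00:53:50", "10.1.1.10": "00:00:5e:00:53:10"}
FDB = {"00:00:5e:00:53:50": ("sw1", "Gi1/0/12"), "00:00:5e:00:53:10": ("sw1", "Gi1/0/3")}

def respond(flows=FLOWS):
    """Detect, trace back, and return the (switch, port) a guard would instruct to disable."""
    return {src: locate_switch_port(src, ARP_TABLE, FDB)
            for src in detect_scanners(flows, WINDOW)}

if __name__ == "__main__":
    print(detect_scanners(FLOWS, WINDOW), respond())
```

Counting distinct destinations per source, rather than raw packet volume, is what separates the sweeping host from the ordinary client: both send roughly the same number of packets in the window, but the client talks to two servers and the sweeping host to thirty.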

20. As to claim 29, Lyle teaches a method for processing communication traffic, comprising: 

monitoring the communication traffic on a network so as to detect packets that are indicative of a communication failure in the network that is characteristic of a worm infection (col 10, lines 53-59; Lyle discloses monitoring the network traffic for activity that is suspicious in the sense that it indicates that an attack may be taking place); 

detecting an increase in a rate of arrival of the packets that are indicative of the communication failure (col 10, line 60 - col 11, line 1; Lyle discloses determining if the rate of certain types of messages exceeds a normal level); and 

responsively to the increase, filtering the communication traffic so as to remove at least a portion of the communication traffic that is generated by the worm infection (col 14, lines 26-34; Lyle discloses that the framework module, upon analysis, takes the responsive action of alerting the network security administrator and stopping the malicious flow of network traffic). 

21. As to claim 30, Lyle teaches the method as recited in claim 29, wherein monitoring the communication traffic comprises detecting Internet Control Message Protocol (ICMP) unreachable packets (col 9, lines 7-37). 

22. As to claim 31, Lyle teaches the method as recited in claim 29, wherein monitoring the communication traffic comprises detecting failures to establish a Transmission Control Protocol (TCP) connection (col 22, lines 25-43). 

23. As to claim 32, Lyle teaches a method for processing communication traffic, comprising: 

monitoring the communication traffic on a network so as to detect ill-formed packets (col 7, lines 9-19; Lyle discloses scanning the network for suspicious data within the tracking system); 

making a determination, responsively to the ill-formed packets, that at least a portion of the communication traffic has been generated by a worm infection (col 8, lines 26-39; Lyle discloses an alert module that determines a potential attack); and 

responsively to the determination, filtering the communication traffic so as to remove at least the portion of the communication traffic that is generated by the worm infection (col 14, lines 26-34; Lyle discloses that the framework module, upon analysis, takes the responsive action of alerting the network security administrator and stopping the malicious flow of network traffic). 

24. As to claim 33, Lyle teaches the method as recited in claim 32, wherein the packets comprise a header specifying a communication protocol, and wherein monitoring the communication traffic comprises determining that the packets contain data that are incompatible with the specified communication protocol (col 11, line 61 - col 12, line 19; Lyle discloses determining an incompatible packet by measuring the numerical order of the packet). 

25. As to claim 34, Lyle teaches the method as recited in claim 32, wherein the packets comprise a header specifying a packet length, and wherein monitoring the communication traffic comprises determining that the packets contain an amount of data that is incompatible with the specified packet length (col 18, lines 48-59; Lyle discloses identifying a suspicious packet by its bits). 
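The two monitoring steps of claims 29-30 (a rise in the arrival rate of ICMP unreachable packets) and claims 32-34 (ill-formed packets whose data disagree with the protocol or length named in the header), as one added example that serves both passages (written for this page; not the applicant's code and not anything disclosed by Lyle). It parses raw IPv4 headers with the standard library; the minimum transport-header sizes, the rate factor, and the window layout are assumptions, and the packets are built inline rather than captured.

```python
import struct
import ipaddress

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
# Smallest transport header each protocol can carry; anything shorter is data that is
# incompatible with the protocol named in the IP header (claim 33). Assumed minimums.
MIN_L4_HEADER = {IPPROTO_ICMP: 8, IPPROTO_TCP: 20, IPPROTO_UDP: 8}
IP_FMT = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)

def build_ipv4(proto, payload, total_len=None, src="192.0.2.1", dst="198.51.100.9"):
    """Assemble a minimal IPv4 packet for the constructed samples (checksum left zero).
    `total_len` may be overridden to forge a length field that disagrees with the data."""
    if total_len is None:
        total_len = 20 + len(payload)
    hdr = struct.pack(IP_FMT, 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

def check_packet(raw):
    """Return the reasons a packet is ill-formed; an empty list means well-formed."""
    if len(raw) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack(IP_FMT, raw[:20])
    reasons = []
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        reasons.append("bad version or header length")
    if total_len != len(raw):                       # claim 34: declared vs actual length
        reasons.append(f"length field {total_len} != {len(raw)} bytes on the wire")
    need = MIN_L4_HEADER.get(proto)
    if need is None:
        reasons.append(f"unknown protocol {proto}")
    elif len(raw) - ihl < need:                     # claim 33: data vs declared protocol
        reasons.append(f"protocol {proto} needs a {need}-byte header, got {len(raw) - ihl}")
    return reasons

def is_icmp_unreachable(raw):
    """ICMP type 3 (destination unreachable): the failure indicator of claim 30."""
    if len(raw) < 21:
        return False
    ihl = (raw[0] & 0x0F) * 4
    return raw[9] == IPPROTO_ICMP and len(raw) > ihl and raw[ihl] == 3

def unreachable_rate_alerts(windows, baseline_windows, factor=3.0):
    """Count unreachables per window; the first `baseline_windows` windows set the normal
    level, and any later window above `factor` times that level is an "increase in the
    rate of arrival" (claim 29). Returns the indexes of the alerting windows."""
    counts = [sum(1 for raw in win if is_icmp_unreachable(raw)) for win in windows]
    base = counts[:baseline_windows]
    normal = max(1.0, sum(base) / len(base))
    return [i for i in range(baseline_windows, len(windows)) if counts[i] > factor * normal]

# Constructed samples (not captured traffic).
GOOD_TCP = build_ipv4(IPPROTO_TCP, b"\x00" * 20)
SHORT_TCP = build_ipv4(IPPROTO_TCP, b"\x00" * 8)                 # TCP with only 8 bytes after IP
BAD_LEN = build_ipv4(IPPROTO_UDP, b"\x00" * 8, total_len=60)     # header claims 60, wire has 28
UNREACH = build_ipv4(IPPROTO_ICMP, bytes([3, 1]) + b"\x00" * 6)  # type 3, code 1 (host unreachable)
# Three quiet windows followed by one in which unreachables jump from 1 to 5.
WINDOWS = [[UNREACH, GOOD_TCP, GOOD_TCP]] * 3 + [[UNREACH] * 5 + [GOOD_TCP]]

if __name__ == "__main__":
    for name, pkt in [("GOOD_TCP", GOOD_TCP), ("SHORT_TCP", SHORT_TCP), ("BAD_LEN", BAD_LEN)]:
        print(name, check_packet(pkt))
    print("alerting windows:", unreachable_rate_alerts(WINDOWS, 3))
```

The length check compares the header's own claim against the bytes actually received, so a truncated or padded packet is caught before any transport-layer parsing trusts the declared size; the protocol check is the same idea one layer up. The unreachable-rate detector uses a baseline-relative threshold rather than a fixed count, because a normal level of ICMP unreachables exists on any network and only the jump is worth an alert.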

26. As to claim 35, Lyle teaches an apparatus comprising a guard device, which is adapted 

to identify a selected subset of the group of the addresses such that the addresses in the subset are expected to receive smaller amounts of the communication traffic than other addresses in the group (figure 8; col 14, line 56 - col 15, line 30; Lyle discloses determining the baseline incident rate for the affected network and the prescribed amount by which it may be exceeded. Lyle also discloses determining the baseline incident rate for the sub-network), 

to monitor the communication traffic that is directed to a group of addresses in the subset (col 5, lines 12-17; Lyle discloses monitoring the network connection used to send and receive information via the network and other computers), 

to determine respective baseline characteristics of the communication traffic that is directed to each of the addresses in the subset (col 8, lines 14-20; Lyle discloses determining the baseline incident rate and the variance used for all networks), 

to detect a deviation from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the subset, wherein the deviation is indicative that at least a portion of the communication traffic is of potentially malicious origin (col 10, lines 28-34; Lyle discloses monitoring the network traffic for a suspiciously high volume of network traffic and for the particular portion that is attacked), and 

responsively to detecting the deviation, to filter the communication traffic that is directed to all of the addresses in the group so as to remove at least some of the communication traffic that is of the malicious origin (col 14, lines 26-34; Lyle discloses that the framework module, upon analysis, takes the responsive action of alerting the network security administrator and stopping the malicious flow of network traffic). 

27. As to claim 38, Lyle teaches the apparatus as recited in claim 35, wherein the baseline characteristics comprise a distribution of communication protocols used in generating the communication traffic (col 10, lines 19-28; Lyle discloses tracking the communication traffic using the sniffer module). 

28. As to claim 39, Lyle teaches the apparatus as recited in claim 35, wherein the baseline characteristics comprise a distribution of ports to which the communication traffic is directed (col 14, lines 38-42; Lyle discloses tracking the source of the attack to determine the point at which the attack is entering the network or sub-network). 

29. As to claim 40, Lyle teaches the apparatus as recited in claim 35, wherein the baseline characteristics comprise a distribution of source addresses of the communication traffic (col 14, lines 13-19; Lyle discloses characteristics of the incident, such as the source address, target address, and preceding characteristics). 

30. As to claim 41, Lyle teaches the apparatus as recited in claim 35, wherein the baseline characteristics comprise a distribution of sizes of data packets sent to the addresses in the group (col 10, lines 44-53; Lyle discloses detecting a particular port that is receiving an unusually high number of data packets of any type, which the sniffer module identifies as a possible attack). 

31. As to claim 42, Lyle teaches the apparatus as recited in claim 35, wherein the baseline characteristics are indicative of a distribution of operating systems running on computers that have transmitted the communication traffic (col 21, lines 32-49; Lyle discloses determining the system receiving and sending packets). 
32. As to claim 43, Lyle teaches the apparatus as recited in claim 42, wherein the guard device is adapted to read a Time-To-Live (TTL) field in Internet Protocol headers of data packets sent to the addresses in the group, and to detect a change in values of the TTL field relative to the baseline characteristics due to the distribution of the operating systems (col 11, lines 26-38). 

33. As to claim 44, Lyle teaches the apparatus as recited in claim 35, wherein the guard device is adapted to detect events that are indicative of a failure in communication between a first computer at one of the addresses in the group and a second computer at another location in the network (col 6, line 61 - col 7, line 15; Lyle discloses tracking the location of the core routers and any associated network element and blocking the potential attack). 

34. As to claim 45, Lyle teaches the apparatus as recited in claim 44, wherein the events comprise failures to establish a Transmission Control Protocol (TCP) connection (col 22, lines 25-43). 

35. As to claim 55, Lyle teaches the apparatus as recited in claim 35, wherein the guard device is adapted to detect a type of the communication traffic that appears to be of the malicious origin, and to monitor the communication traffic so as to collect specific information relating to the traffic of the detected type (col 4, lines 55-68; Lyle discloses monitoring the security of the computer network, such as for suspicious, malicious or virus packets). 

36. As to claim 56, Lyle teaches the apparatus as recited in claim 55, wherein the specific information comprises one or more source addresses of the traffic of the detected type (col 10, lines 38-43; Lyle discloses listing suspicious source addresses). 

37. As to claim 59, Lyle teaches an apparatus comprising a guard device, which is adapted: 

to monitor the communication traffic originating from a group of addresses and passing through a selected node on a network (col 12, lines 44-53; Lyle discloses monitoring the communication traffic of the network for sending and receiving packets), 

to detect a pattern in the traffic originating from at least one of the addresses that is indicative of a malicious program running on a computer at the at least one of the addresses by determining that the computer has transmitted packets to a large number of different destination addresses (col 10, lines 19-60; col 13, lines 9-21 & lines 38-55; Lyle discloses detecting, at the router ports, whether a particular port is receiving an unusually high number of data packets of any type with a certain target destination or recipient address. Lyle also discloses detecting a network pattern, such as by monitoring whether the event rate for a period of time exceeds by a prescribed amount the average event rate for that particular network or sub-network), and 

to trace a route of the traffic from the selected node back to the at least one of the addresses so as to identify a location of the computer on which the malicious program is running (col 6, lines 15-23; Lyle discloses a tracking system for the network elements of the protected area). 

38. As to claim 60, Lyle teaches the apparatus as recited in claim 59, wherein the guard device is adapted to identify a port of a switch on the network to which the computer is connected, and to instruct the switch to disable the identified port (col 16, line 54 - col 17, line 13; Lyle discloses tracking the port at which the attack was detected, to identify the port of the node through which packets or messages associated with the attack are entering that node). 

39. As to claim 62, Lyle teaches the apparatus as recited in claim 59, wherein the guard device is adapted to detect the pattern by detecting a large number of packets transmitted by the computer to a specified port (col 12, line 63 - col 13, line 8; Lyle discloses detecting when massive numbers of copies of a suspicious but relatively innocuous message are sent in the hope of overloading the security system). 

40. As to claim 63, Lyle teaches an apparatus comprising a guard device, which is adapted: 

to monitor the communication traffic on a network so as to detect packets that are indicative of a communication failure in the network that is characteristic of a worm infection (col 10, lines 53-59; Lyle discloses monitoring the network traffic for activity that is suspicious in the sense that it indicates that an attack may be taking place), 

to detect an increase in a rate of arrival of the packets that are indicative of the communication failure (col 10, line 60 - col 11, line 1; Lyle discloses determining if the rate of certain types of messages exceeds a normal level), and 

responsively to the increase, to filter the communication traffic so as to remove at least a portion of the communication traffic that is generated by the worm infection (col 14, lines 26-34; Lyle discloses that the framework module, upon analysis, takes the responsive action of alerting the network security administrator and stopping the malicious flow of network traffic). 

41. As to claim 64, Lyle teaches the apparatus as recited in claim 63, wherein the guard device is adapted to detect Internet Control Message Protocol (ICMP) unreachable packets as an indication of the communication failure (col 9, lines 7-37). 

42. As to claim 65, Lyle teaches the apparatus as recited in claim 63, wherein the guard device is adapted to detect failures to establish a Transmission Control Protocol (TCP) connection (col 22, lines 25-43). 

43. As to claim 66, Lyle teaches an apparatus comprising a guard device, which is adapted: 

to monitor the communication traffic on a network so as to detect ill-formed packets (col 7, lines 9-19; Lyle discloses scanning the network for suspicious data within the tracking system), 

to make a determination, responsively to the ill-formed packets, that at least a portion of the communication traffic has been generated by a worm infection (col 8, lines 26-39; Lyle discloses an alert module that determines a potential attack), and 

responsively to the determination, to filter the communication traffic so as to remove at least the portion of the communication traffic that is generated by the worm infection (col 14, lines 26-34; Lyle discloses that the framework module, upon analysis, takes the responsive action of alerting the network security administrator and stopping the malicious flow of network traffic). 

44. As to claim 67, Lyle teaches the apparatus as recited in claim 66, wherein the packets comprise a header specifying a communication protocol, and wherein the guard device is adapted to detect that the packets contain data that are incompatible with the specified communication protocol (col 11, line 61 - col 12, line 19; Lyle discloses determining an incompatible packet by measuring the numerical order of the packet). 

45. As to claim 68, Lyle teaches the apparatus as recited in claim 66, wherein the packets comprise a header specifying a packet length, and wherein the guard device is adapted to detect that the packets contain an amount of data that is incompatible with the specified packet length (col 18, lines 48-59; Lyle discloses identifying a suspicious packet by its bits). 

46. As to claim 69, Lyle teaches a computer software product, comprising: 

a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to identify a selected subset of the group of the addresses such that the addresses in the subset are expected to receive smaller amounts of the communication traffic than other addresses in the group (figure 8; col 14, line 56 - col 15, line 30; Lyle discloses determining the baseline incident rate for the affected network and the prescribed amount by which it may be exceeded. Lyle also discloses determining the baseline incident rate for the sub-network), 

to monitor communication traffic that is directed to the addresses in the subset (col 5, lines 12-17; Lyle discloses monitoring the network connection used to send and receive information via the network and other computers), 

to determine respective baseline characteristics of the communication traffic that is directed to each of the addresses in the subset (col 8, lines 14-20; Lyle discloses determining the baseline incident rate and the variance used for all networks), 

to detect a deviation from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the subset, wherein the deviation is indicative that at least a portion of the communication traffic is of potentially malicious origin (col 10, lines 28-34; Lyle discloses monitoring the network traffic for a suspiciously high volume of network traffic and for the particular portion that is attacked), and 

responsively to detecting the deviation, to filter the communication traffic that is directed to all of the addresses in the group so as to remove at least some of the communication traffic that is of the malicious origin (col 14, lines 26-34; Lyle discloses that the framework module, upon analysis, takes the responsive action of alerting the network security administrator and stopping the malicious flow of network traffic). 



Application/Control Number: 10/774,169 Page 19 

Art Unit: 2155 

48. As to claim 72, Lyle teaches the product as recited in claim 69, wherein the baseline characteristics comprise a distribution of communication protocols used in generating the communication traffic (col 10, lines 19-28; Lyle discloses tracking the communication traffic using the sniffer module). 

49. As to claim 73, Lyle teaches the product as recited in claim 69, wherein the baseline characteristics comprise a distribution of ports to which the communication traffic is directed (col 14, lines 38-42; Lyle discloses tracking the source of the attack to determine the point at which the attack is entering the network or sub-network). 

50. As to claim 74, Lyle teaches the product as recited in claim 69, wherein the baseline characteristics comprise a distribution of source addresses of the communication traffic (col 14, lines 13-19; Lyle discloses characteristics of the incident, such as the source address, target address, and preceding characteristics). 

51. As to claim 75, Lyle teaches the product as recited in claim 69, wherein the baseline characteristics comprise a distribution of sizes of data packets sent to the addresses in the group (col 10, lines 44-53; Lyle discloses detecting a particular port that is receiving an unusually high number of data packets of any type, which the sniffer module identifies as a possible attack). 

52. As to claim 76, Lyle teaches the product as recited in claim 69, wherein the baseline characteristics are indicative of a distribution of operating systems running on computers that have transmitted the communication traffic (col 21, lines 32-49; Lyle discloses determining the system receiving and sending packets). 

53. As to claim 77, Lyle teaches the product as recited in claim 76, wherein 
instructions cause the computer to read a Time-To-Live (TTL) field in Internet Protocol 
headers of data packets sent to the addresses in the group, and to detect a change in 
values of the TTL field relative to the baseline characteristics due to the distribution of 
the operating systems (col 11, lines 26-38). 

54. As to claim 78, Lyle teaches the product as recited in claim 69, wherein the 
instructions cause the computer to detect events that are indicative of a failure in 
communication between a first computer at one of the addresses in the group and a 
second computer at another location in the network (col 6, lines 61 - col 7, lines 15 ; 
Lyle discloses that the product of tracking the location of the core routers and any 
associated network element and blocking the potential attack). 

55. As to claim 79, Lyle teaches the product as recited in claim 78, wherein the 
events comprise failures to establish a Transmission Control Protocol (TCP) connection 
(col 22, lines 25-43). 

56. As to claim 89, Lyle teaches the product as recited in claim 69, wherein the 
instructions cause the computer to detect a type of the communication traffic that 
appears to be of the malicious origin, and to monitor the communication traffic so as to 
collect specific information relating to the traffic of the detected type (col 4, lines 55-68; 
Lyle discloses that the product monitors the security of the computer network against, 
for example, suspicious, malicious or virus packets). 
57. As to claim 90, Lyle teaches the product as recited in claim 89, wherein the 
specific information comprises one or more source addresses of the traffic of the 
detected type (col 10, lines 38-43; Lyle discloses that the product lists the suspicious 
source addresses). 

58. As to claim 93, Lyle teaches a computer software product, comprising: 

a computer-readable medium in which program instructions are stored, which 
instructions, when read by a computer, cause the computer to monitor the 
communication traffic originating from a group of addresses and passing through a 
selected node on a network (col 12, lines 44-53; Lyle discloses that the product 
monitors the communication traffic of the network, both the packets sent and those received), 

to detect a pattern in the traffic originating from at least one of the addresses that 
is indicative of a malicious program running on a computer at the at least one of the 
addresses by determining that the computer has transmitted packets to a large number 
of different destination addresses (col 10, lines 19-60; col 13, lines 9-21 & lines 38-55; 
Lyle also discloses that the product detects a router port as suspect if that port is 
receiving an unusually high number of data packets of any type with a certain target 
destination or recipient address. Lyle also discloses that the product detects a 
network pattern by monitoring the event rate and determining whether the rate for a 
period of time exceeds, by a prescribed amount, the average event rate for that 
particular network or sub-network), and 

to trace a route of the traffic from the selected node back to the at least one of 
the addresses so as to identify a location of the computer on which the malicious 
program is running (col 6, lines 15-23; Lyle discloses that the product's tracking 
system tracks the network elements of the protected area). 

59. As to claim 94, Lyle teaches the product as recited in claim 93, wherein the 
instructions cause the computer to identify a port of a switch on the network to which the 
computer is connected, and to instruct the switch to disable the identified port (col 16, 
line 54 - col 17, line 13; Lyle discloses that the product tracks the port at which 
the attack was detected, identifying the port of the node through which the packets 
or messages associated with the attack entered that node). 

60. As to claim 96, Lyle teaches the product as recited in claim 93, wherein the 
instructions cause the computer to detect the pattern by detecting a large number of 
packets transmitted by the computer to a specified port (col 12, line 63 - col 13, line 
8; Lyle discloses that the product detects when massive numbers of copies of a 
suspicious but relatively innocuous message are sent in the hope of overloading the 
security system). 

61. As to claim 97, Lyle teaches a computer software product, comprising: 

a computer-readable medium in which program instructions are stored, which 
instructions, when read by a computer, cause the computer to monitor the 
communication traffic on a network so as to detect packets that are indicative of a 
communication failure in the network that is characteristic of a worm infection (col 10, 
lines 53-59; Lyle discloses that the product monitors the network traffic for packets 
that are suspicious in the sense that they indicate that an attack may be taking place), 
to detect an increase in a rate of arrival of the packets that are indicative of the 
communication failure (col 10, line 60 - col 11, line 1; Lyle discloses that the product 
determines whether the rate of certain types of messages exceeds a normal level), and 

responsively to the increase, to filter the communication traffic so as to remove at 
least a portion of the communication traffic that is generated by the worm infection (col 
14, lines 26-34; Lyle discloses that the product's framework module, based on its 
analysis, takes responsive action, determining to alert the network security administrator 
and to stop the malicious flow of network traffic). 

62. As to claim 98, Lyle teaches the product as recited in claim 97, wherein the 
instructions cause the computer to detect Internet Control Message Protocol (ICMP) 
unreachable packets as an indication of the communication failure (col 9, lines 7-37). 

63. As to claim 99, Lyle teaches the product as recited in claim 97, wherein the 
instructions cause the computer to detect failures to establish a Transmission Control 
Protocol (TCP) connection (col 22, lines 25-43). 

64. As to claim 100, Lyle teaches a computer software product, comprising: 

a computer-readable medium in which program instructions are stored, which 
instructions, when read by a computer, cause the computer to monitor the 
communication traffic on a network so as to detect ill-formed packets (col 7, lines 9-19; 
Lyle discloses that the product scans the network for suspicious data within the 
tracking system), 

to make a determination, responsively to the ill-formed packets, that at least a 
portion of the communication traffic has been generated by a worm infection (col 8, lines 
26-39; Lyle discloses that the product's alert module determines that a potential 
attack is taking place), and 

responsively to the determination, to filter the communication traffic so as to 
remove the at least the portion of the communication traffic that is generated by the 
worm infection (col 14, lines 26-34; Lyle discloses that the product of analyzed the 
framework module takes the responsive action to determined to alert the network 
security administrator and to stop the malicious flow of network traffic). 

65. As to claim 101, Lyle teaches the product as recited in claim 100, wherein the 
packets comprise a header specifying a communication protocol, and wherein the 
instructions cause the computer to detect that the packets contain data that are 
incompatible with the specified communication protocol (col 11, line 61 - col 12, line 
19; Lyle discloses that the product determines that a packet is incompatible by 
checking the numerical order of the packets). 

66. As to claim 102, Lyle teaches the product as recited in claim 100, wherein the 
packets comprise a header specifying a packet length, and wherein the instructions 
cause the computer to detect that the packets contain an amount of data that is 
incompatible with the specified packet length (col 18, lines 48-59; Lyle discloses that the 
product identifies a suspicious packet by its bits). 
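The following Python example is added here to illustrate the limitations of claims 100-102 (a packet whose data is inconsistent with the protocol or the length its header specifies), and it equally illustrates the "ill-formed" determination recited in claims 14, 48 and 82. It is not code from the application, from Lyle, from Trcka, or from this Office action; the checks are generic IPv4/UDP/TCP header rules, the minimum transport-header sizes are assumed constants, and the packets are constructed for the demonstration.

```python
# Added illustration for claims 100-102 (ill-formed packets: data inconsistent
# with the protocol or the length named in the header); it also shows the
# "ill-formed" determination of claims 14, 48 and 82. Not code from the
# application, from Lyle, from Trcka, or from this action. The checks are
# generic IPv4/UDP/TCP header rules, not the references' own tests.
import struct
from dataclasses import dataclass, field
from typing import List, Optional

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
# Smallest transport header each protocol value implies (assumed minimums).
MIN_L4_HEADER = {IPPROTO_ICMP: 8, IPPROTO_TCP: 20, IPPROTO_UDP: 8}
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte fixed part of the IPv4 header


@dataclass
class Verdict:
    ill_formed: bool
    reasons: List[str] = field(default_factory=list)


def check_ipv4(packet: bytes) -> Verdict:
    """Decide whether an IPv4 packet (link-layer padding already stripped)
    is ill-formed, and say why."""
    reasons: List[str] = []
    if len(packet) < 20:
        return Verdict(True, ["shorter than the 20-byte IPv4 header"])
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        reasons.append(f"version field {version} is not 4")
    if ihl < 20:
        reasons.append(f"IHL says {ihl} bytes, below the 20-byte minimum")
    # Claim 102 pattern: amount of data present vs. the header's length field.
    if total_len != len(packet):
        reasons.append(f"total length {total_len} != {len(packet)} bytes present")
    if total_len < ihl:
        reasons.append("total length smaller than the header length")
    payload = packet[ihl:total_len]
    # Claim 101 pattern: data incompatible with the protocol the header names.
    need = MIN_L4_HEADER.get(proto)
    if need is not None and len(payload) < need:
        reasons.append(f"protocol {proto} needs a {need}-byte header, "
                       f"payload has {len(payload)}")
    if proto == IPPROTO_UDP and len(payload) >= 8:
        udp_len = struct.unpack("!H", payload[4:6])[0]
        if udp_len != len(payload):
            reasons.append(f"UDP length {udp_len} != payload length {len(payload)}")
    return Verdict(bool(reasons), reasons)


def build_ipv4(proto: int, payload: bytes, total_len: Optional[int] = None) -> bytes:
    """Constructed test packet (checksum left zero); `total_len` lets a test
    deliberately lie about the length."""
    total = 20 + len(payload) if total_len is None else total_len
    header = struct.pack(IPV4_HDR, 0x45, 0, total, 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def build_udp(payload: bytes, length: Optional[int] = None) -> bytes:
    """Constructed UDP datagram; `length` lets a test lie about its size."""
    length = 8 + len(payload) if length is None else length
    return struct.pack("!HHHH", 1234, 53, length, 0) + payload


if __name__ == "__main__":
    samples = {
        "well-formed udp": build_ipv4(IPPROTO_UDP, build_udp(b"abc")),
        "length field lies": build_ipv4(IPPROTO_UDP, build_udp(b"abc"), total_len=60),
        "tcp with 2-byte payload": build_ipv4(IPPROTO_TCP, b"\x01\x02"),
        "udp length lies": build_ipv4(IPPROTO_UDP, build_udp(b"abc", length=500)),
    }
    for name, pkt in samples.items():
        v = check_ipv4(pkt)
        print(f"{name}: ill-formed={v.ill_formed} {v.reasons}")
```

One caveat before applying the length check of claim 102 to real captures: Ethernet pads short frames to a 60-byte minimum, so a capture can legitimately carry more bytes than the IP total length says. Trim the packet to the link-layer-indicated length first, or every short datagram will be reported as ill-formed.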

67. As to claim 103, Lyle teaches the method as recited in claim 1, wherein 
identifying the subset comprises selecting clients for inclusion in the subset while 
excluding servers (figure 1; Lyle teaches the method of including the users in the subset 
for the edge router). 
68. As to claim 105, Lyle teaches the apparatus as recited in claim 35, wherein the 
subset includes clients while excluding servers (figure 1; Lyle teaches the apparatus of 
including the users in the subset for the edge router). 

69. As to claim 107, Lyle teaches the product as recited in claim 69, wherein the 
subset includes clients while excluding servers (figure 1; Lyle teaches the product of 
including the users in the subset for the edge router). 



Claim Rejections - 35 USC § 103 

70. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

71. Claims 12-13, 46-47, and 80-81 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Lyle, Patent No. 6,886,102 B1 in view of Porras, Patent No. 
6,321,338 B1. 

Lyle teaches the invention substantially as claimed including system and method 
for protecting a computer network against denial of service attacks (see abstract). 

72. As to claim 12, Lyle teaches the method as recited in claim 1. But Lyle fails to 
teach the claim limitation wherein receiving packets that are indicative of a 
communication failure in the network that is characteristic of a worm infection, and 
wherein filtering the communication traffic comprises deciding to filter the 
communication traffic responsively to receiving the packets. 

However, Porras teaches network surveillance (see abstract). Porras teaches 
the limitation wherein receiving packets that are indicative of a communication failure in 
the network that is characteristic of a worm infection, and wherein filtering the 
communication traffic comprises deciding to filter the communication traffic responsively 
to receiving the packets (col 9, lines 49-63). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Porras so that the engine could filter out the 
unwanted packets. One would be motivated to do so to prevent the potential attack and 
ensure the reliability of the network. 

73. As to claim 13, Lyle teaches the method as recited in claim 12. But Lyle fails to 
teach the claim limitation wherein receiving the packets comprises receiving Internet 
Control Message Protocol (ICMP) unreachable packets. 

However, Porras teaches the limitation wherein receiving the packets comprises 
receiving Internet Control Message Protocol (ICMP) unreachable packets (col 5, lines 4- 
29). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Porras so that the ICMP packets that reach the 
gateway are filtered out. One would be motivated to do so to ensure that ill-formed 
packets will not travel into the network. 
74. As to claim 46, Lyle teaches the apparatus as recited in claim 35. But Lyle fails 
to teach the claim limitation wherein the guard device is adapted to receive packets that 
are indicative of a communication failure in the network that is characteristic of a worm 
infection, and to decide to filter the communication traffic responsively to receiving the 
packets. 

However, Porras teaches the limitation wherein the guard device is adapted to 
receive packets that are indicative of a communication failure in the network that is 
characteristic of a worm infection, and to decide to filter the communication traffic 
responsively to receiving the packets (col 9, lines 49-63). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Porras so that the engine could filter out the 
unwanted packets. One would be motivated to do so to prevent the potential attack and 
ensure the reliability of the network. 

75. As to claim 47, Lyle teaches the apparatus as recited in claim 46. But Lyle fails 
to teach the claim limitation wherein the packets comprise Internet Control Message 
Protocol (ICMP) unreachable packets. 

However, Porras teaches the limitation wherein the packets comprise Internet 
Control Message Protocol (ICMP) unreachable packets (col 5, lines 4-29). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Porras so that the ICMP packets that reach the 
gateway are filtered out. One would be motivated to do so to ensure that ill-formed 
packets will not travel into the network. 
76. As to claim 80, Lyle teaches the product as recited in claim 69. But Lyle fails to 
teach the claim limitation wherein the instructions cause the computer to receive 
packets that are indicative of a communication failure in the network that is 
characteristic of a worm infection, and to decide to filter the communication traffic 
responsively to receiving the packets. 

However, Porras teaches the limitation wherein the instructions cause the 
computer to receive packets that are indicative of a communication failure in the 
network that is characteristic of a worm infection, and to decide to filter the 
communication traffic responsively to receiving the packets (col 9, lines 49-63). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Porras so that the engine could filter out the 
unwanted packets. One would be motivated to do so to prevent the potential attack and 
ensure the reliability of the network. 

77. As to claim 81, Lyle teaches the product as recited in claim 80. But Lyle fails to 
teach the claim limitation wherein the packets comprise Internet Control Message 
Protocol (ICMP) unreachable packets. 

However, Porras teaches the limitation wherein the packets comprise Internet 
Control Message Protocol (ICMP) unreachable packets (col 5, lines 4-29). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Porras so that the ICMP packets that reach the 
gateway are filtered out. One would be motivated to do so to ensure that ill-formed 
packets will not travel into the network. 
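The following Python example is added here to illustrate the limitations of claims 97-99 and of claims 12-13, 46-47 and 80-81 in one piece: packets indicative of a communication failure (ICMP unreachable messages, failed TCP connection attempts) are counted per period, an increase in their arrival rate relative to the running average is detected, and the hosts responsible are selected for filtering. It is not code from the application, from Lyle, from Porras, or from this Office action. The log format, the period, the rate factor and the baseline floor are assumptions, and the log lines are constructed.

```python
# Added illustration for claims 97-99 and 12-13 / 46-47 / 80-81; not code from
# the application, from Lyle, from Porras, or from this action. The log format
# and the tuning values (period, factor, floor) are assumptions.
import re
from collections import Counter
from typing import List, Set, Tuple

# Constructed failure-indication log (not captured data). Each line is
# "<seconds> <event> <host> -> <target>": the host whose traffic failed (the
# inner source of an ICMP unreachable, or the sender of a SYN answered by RST)
# and the target it tried to reach. "tcp-syn" lines are ordinary traffic.
SAMPLE_LOG = """\
100 icmp-unreach 10.0.0.7 -> 198.51.100.20
100 tcp-rst 10.0.0.8 -> 198.51.100.21
101 icmp-unreach 10.0.0.7 -> 198.51.100.22
102 tcp-syn 10.0.0.8 -> 198.51.100.21
103 icmp-unreach 10.0.0.9 -> 198.51.100.23
104 icmp-unreach 10.0.0.7 -> 198.51.100.24
105 icmp-unreach 10.0.0.7 -> 198.51.100.30
105 icmp-unreach 10.0.0.7 -> 198.51.100.31
105 icmp-unreach 10.0.0.7 -> 198.51.100.32
105 tcp-rst 10.0.0.7 -> 198.51.100.33
105 icmp-unreach 10.0.0.7 -> 198.51.100.34
105 icmp-unreach 10.0.0.7 -> 198.51.100.35
105 tcp-rst 10.0.0.7 -> 198.51.100.36
105 icmp-unreach 10.0.0.7 -> 198.51.100.37
"""

FAILURE_TYPES = {"icmp-unreach", "tcp-rst"}   # packets indicative of failure
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) -> (\S+)$")

Event = Tuple[int, str, str, str]


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def detect_rate_increase(events: List[Event], period: int = 1, factor: float = 3.0,
                         min_baseline_periods: int = 3, floor: float = 1.0
                         ) -> List[Tuple[int, int, float]]:
    """Return (period, failures, baseline_average) for every period whose
    failure count exceeds `factor` times the running average of earlier,
    unflagged periods. `floor` keeps a quiet baseline from flagging on a
    single stray failure. Flagged periods are kept out of the baseline so
    the attack does not raise its own threshold.
    """
    if not events:
        return []
    per_period: Counter = Counter()
    for t, kind, _host, _target in events:
        if kind in FAILURE_TYPES:
            per_period[t // period] += 1
    first = min(e[0] for e in events) // period
    last = max(e[0] for e in events) // period
    history: List[int] = []
    flagged: List[Tuple[int, int, float]] = []
    for p in range(first, last + 1):
        n = per_period.get(p, 0)
        if len(history) >= min_baseline_periods:
            avg = sum(history) / len(history)
            if n > factor * max(avg, floor):
                flagged.append((p, n, avg))
                continue
        history.append(n)
    return flagged


def sources_to_filter(events: List[Event], flagged: List[Tuple[int, int, float]],
                      period: int = 1) -> Set[str]:
    """Hosts whose failures make up the flagged periods: candidates for the
    'filter the traffic generated by the infection' step."""
    bad = {p for p, _n, _avg in flagged}
    return {host for t, kind, host, _target in events
            if kind in FAILURE_TYPES and t // period in bad}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_rate_increase(evs)
    for p, n, avg in hits:
        print(f"period {p}: {n} failure indications vs baseline {avg:.1f}/period")
    print("filter traffic from:", sorted(sources_to_filter(evs, hits)))
```

Keying the decision on the host that suffered the failures, rather than on the router that emitted the ICMP messages, is what lets the filter remove the infected host's outbound traffic rather than the diagnostics. A worm that ramps up slowly enough to stay under the factor can still inflate the baseline over time; a fixed reference window, or an upper bound on how fast the baseline may grow, is the usual countermeasure.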
78. Claims 14-20, 23-24, 48-54, 57-58, 82-88, and 91-92 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Lyle, Patent No. 6,886,102 B1 in view of 
Trcka, Patent Application Publication No. 2001/0039579 A1. 

Lyle teaches the invention substantially as claimed including system and method 
for protecting a computer network against denial of service attack (see abstract). 

79. As to claim 14, Lyle teaches the method as recited in claim 1. But Lyle fails to 
teach the claim limitation wherein monitoring the communication traffic comprises 
making a determination that one or more packets transmitted over the network are ill- 
formed, and wherein filtering the communication traffic comprises deciding to filter the 
communication traffic responsively to the ill-formed packets. 

However, Trcka teaches network security and surveillance system (see abstract). 
Trcka teaches the limitation wherein monitoring the communication traffic comprises 
making a determination that one or more packets transmitted over the network are ill-
formed, and wherein filtering the communication traffic comprises deciding to filter the 
communication traffic responsively to the ill-formed packets (page 4, paragraph 41). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Trcka so that the system would filter out the malicious 
packets. One would be motivated to do so to ensure the safety of the network from 
viruses and hackers. 

80. As to claim 15, Lyle teaches the method as recited in claim 1. But Lyle fails to 
teach the claim limitation wherein detecting the deviation comprises incrementing a 
count of events that are indicative of the malicious origin of the communication traffic, 
and deciding whether to filter the communication traffic responsively to the count. 

However, Trcka teaches the limitation wherein detecting the deviation comprises 
incrementing a count of events that are indicative of the malicious origin of the 
communication traffic, and deciding whether to filter the communication traffic 
responsively to the count (page 7, paragraph 79; page 8, paragraph 80). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Trcka so that the system could enable or disable 
packet filtering. One would be motivated to do so to record the data-link level traffic 
without interfering with the normal flow of traffic. 

81. As to claim 16, Lyle teaches the method as recited in claim 15, wherein detecting 
the deviation comprises receiving data packets of potentially malicious origin, each data 
packet having a respective source address and destination address, and wherein 
incrementing the count comprises determining an amount by which to increment the 
count responsively to a given data packet depending upon whether among the data 
packets received previously, responsively to which the count was incremented, at least 
one data packet had the same respective source address and at least one data packet 
had the same respective destination address as the given data packet (col 7, lines 38-
49; col 19, line 51 - col 20, line 23; Lyle discloses that the method identifies the 
messages related to a known or suspected attack, or to the possibility that an attack is 
taking place). 
82. As to claim 17, Lyle teaches the method as recited in claim 16, wherein 
determining the amount by which to increment the count comprises incrementing the 
count only if none of the data packets received previously, responsively to which the 
count was incremented, had at least one of the same respective source address and 
the same respective destination address as the given data packet (col 15, line 48 - col 
16, line 6; Lyle discloses that the method tracks back to the point at which the attack 
entered the network or sub-network). 

83. As to claim 18, Lyle teaches the method as recited in claim 1. But Lyle fails to 
teach the claim limitation wherein detecting the deviation comprises detecting a type of 
the communication traffic that appears to be of the malicious origin, and wherein filtering 
the communication traffic comprises intercepting the communication traffic of the 
detected type. 

However, Trcka teaches the limitation wherein detecting the deviation comprises 
detecting a type of the communication traffic that appears to be of the malicious origin, 
and wherein filtering the communication traffic comprises intercepting the 
communication traffic of the detected type (figure 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Trcka so that the suspicious packets are filtered. One 
would be motivated to do so to ensure the safety of the network. 

84. As to claim 19, Lyle teaches the method as recited in claim 18, wherein detecting 
the type comprises determining at least one of a communication protocol and a port that 
is characteristic of the communication traffic (col 5, lines 34-44; Lyle discloses that the 
method manages the exchange of information between network elements located at 
different physical locations via external connections such as an Internet connection). 

85. As to claim 20, Lyle teaches the method as recited in claim 18, wherein detecting 
the type comprises determining one or more source addresses of the communication 
traffic that appears to be of the malicious origin, and intercepting the communication 
traffic sent from the one or more source addresses (col 16, lines 44-49; Lyle discloses 
that the method tracks the source of an attack to determine the point at which it is 
entering the network or sub-network). 

86. As to claim 23, Lyle teaches the method as recited in claim 1. But Lyle fails to 
teach the claim limitation wherein monitoring and filtering the communication traffic 
comprise monitoring and filtering the communication traffic that is transmitted into a 
protected area of the network containing the group of the addresses so as to exclude 
the communication traffic from the area. 

However, Trcka teaches the limitation wherein monitoring and filtering the 
communication traffic comprise monitoring and filtering the communication traffic that is 
transmitted into a protected area of the network containing the group of the addresses 
so as to exclude the communication traffic from the area (figure 5). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Trcka so that suspicious packets that try to enter 
the protected area are filtered. One would be motivated to do so to improve 
the network security. 
87. As to claim 24, Lyle teaches the method as recited in claim 23, and comprising 
monitoring the communication traffic that is transmitted by computers in the protected 
area so as to detect an infection of one or more of the computers by a malicious 
program (col 10, lines 35-38; Lyle discloses that the method tracks the systems 
interconnected across the network, such as a private network, which is a protected area). 

88. As to claim 48, Lyle teaches the apparatus as recited in claim 35. But Lyle fails 
to teach the claim limitation wherein the guard device is adapted to make a 
determination that one or more packets transmitted over the network are ill-formed, and 
to decide to filter the communication traffic responsively to the ill-formed packets. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
make a determination that one or more packets transmitted over the network are ill- 
formed, and to decide to filter the communication traffic responsively to the ill-formed 
packets (page 4, paragraph 41). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Trcka so that the system would filter out the malicious 
packets. One would be motivated to do so to ensure the safety of the network from 
viruses and hackers. 

89. As to claim 49, Lyle teaches the apparatus as recited in claim 35. But Lyle fails 
to teach the claim limitation wherein the guard device is adapted to increment a count of 
events that are indicative of the malicious origin of the communication traffic, and to 
decide whether to filter the communication traffic responsively to the count. 
However, Trcka teaches the limitation wherein the guard device is adapted to 
increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count (page 7, paragraph 79; page 8, paragraph 80). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Trcka so that the system could enable or disable 
packet filtering. One would be motivated to do so to record the data-link level traffic 
without interfering with the normal flow of traffic. 

90. As to claim 50, Lyle teaches the apparatus as recited in claim 49, wherein the 
guard device is coupled to receive data packets of potentially malicious origin, each 
data packet having a respective source address and destination address, and is 
adapted to determine an amount by which to increment the count responsively to a 
given data packet depending upon whether among the data packets received 
previously, responsively to which the count was incremented, at least one data packet 
had the same respective source address and at least one data packet had the same 
respective destination address as the given data packet (col 7, lines 38-49; col 19, line 
51 - col 20, line 23; Lyle discloses that the apparatus identifies the messages 
related to a known or suspected attack, or to the possibility that an attack is taking place). 

91. As to claim 51, Lyle teaches the apparatus as recited in claim 40, wherein the 
guard device is adapted to increment the count only if none of the data packets received 
previously, responsively to which the count was incremented, had at least one of the 
same respective source address and the same respective destination address as the 
given data packet (col 15, line 48 - col 16, line 6; Lyle discloses that the apparatus 
tracks back to the point at which the attack entered the network or sub-
network). 

92. As to claim 52, Lyle teaches the apparatus as recited in claim 35. But Lyle fails 
to teach the claim limitation wherein the guard device is adapted to detect a type of the 
communication traffic that appears to be of the malicious origin, and to filter the 
communication traffic by intercepting the communication traffic of the detected type. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
detect a type of the communication traffic that appears to be of the malicious origin, and 
to filter the communication traffic by intercepting the communication traffic of the 
detected type (figure 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Trcka so that the suspicious packets are filtered. One 
would be motivated to do so to ensure the safety of the network. 

93. As to claim 53, Lyle teaches the apparatus as recited in claim 52, wherein the 
type of the communication traffic that appears to be of the malicious origin is 
characterized by at least one of a communication protocol and a port (col 5, lines 34-44; 
Lyle discloses that the apparatus manages the exchange of information between 
network elements located at different physical locations via external connections such 
as an Internet connection). 

94. As to claim 54, Lyle teaches the apparatus as recited in claim 52, wherein the 
guard device is adapted to determine one or more source addresses of the 
communication traffic that appears to be of the malicious origin, and to intercept the 
communication traffic sent from the one or more source addresses (col 16, lines 44-49; 
Lyle discloses that the apparatus tracks the source of an attack to determine the 
point at which it is entering the network or sub-network). 

95. As to claim 57, Lyle teaches the apparatus as recited in claim 35. But Lyle fails 
to teach the claim limitation wherein the guard device is adapted to monitor and filter the 
communication traffic that is transmitted into a protected area of the network containing 
the group of the addresses so as to exclude the communication traffic from the area. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
monitor and filter the communication traffic that is transmitted into a protected area of 
the network containing the group of the addresses so as to exclude the communication 
traffic from the area (figure 5). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Trcka so that suspicious packets that try to enter 
the protected area are filtered. One would be motivated to do so to improve 
the network security. 

96. As to claim 58, Lyle teaches the apparatus as recited in claim 57, wherein the 
guard device is adapted to monitor the communication traffic that is transmitted by 
computers in the protected area so as to detect an infection of one or more of the 
computers by a malicious program (col 10, lines 35-38; Lyle discloses that the 
apparatus tracks the systems interconnected across the network, such as a private 
network, which is a protected area). 
97. As to claim 82, Lyle teaches the product as recited in claim 69. But Lyle fails to 
teach the claim limitation wherein the instructions cause the computer to make a 
determination that one or more packets transmitted over the network are ill-formed, and 
to decide to filter the communication traffic responsively to the ill-formed packets. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to make a determination that one or more packets transmitted over the 
network are ill-formed, and to decide to filter the communication traffic responsively to 
the ill-formed packets (page 4, paragraph 41). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Trcka so that the system would filter out the malicious 
packets. One would be motivated to do so to ensure the safety of the network from 
viruses and hackers. 

98. As to claim 83, Lyle teaches the product as recited in claim 69. But Lyle fails to 
teach the claim limitation wherein the instructions cause the computer to increment a 
count of events that are indicative of the malicious origin of the communication traffic, 
and to decide whether to filter the communication traffic responsively to the count. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count (page 7, paragraph 79; page 8, paragraph 80). 

Application/Control Number: 10/774,169 Page 38 

Art Unit: 2155 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Trcka so that the system could enable or disable 
packet filtering. One would be motivated to do so to record the data-link level traffic 
without interfering with the normal flow of traffic. 

99. As to claim 84, Lyle teaches the product as recited in claim 83, wherein when the 
computer is coupled to receive data packets of potentially malicious origin, each data 
packet having a respective source address and destination address, the instructions 
cause the computer to determine an amount by which to increment the count 
responsively to a given data packet depending upon whether among the data packets 
received previously, responsively to which the count was incremented, at least one data 
packet had the same respective source address and at least one data packet had the 
same respective destination address as the given data packet (col 7, lines 38-49; col 
19, line 51 - col 20, line 23; Lyle discloses that the product identifies the messages 
related to a known or suspected attack, or to the possibility that an attack is taking place). 

100. As to claim 85, Lyle teaches the product as recited in claim 84, wherein the 
instructions cause the computer to increment the count only if none of the data packets 
received previously, responsively to which the count was incremented, had at least one 
of the same respective source address and the same respective destination address as 
the given data packet (col 15, line 48 - col 16, line 6; Lyle discloses that the product 
tracks back to the point at which the attack entered the network or sub-
network). 

101. As to claim 86, Lyle teaches the product as recited in claim 69. But Lyle fails to 
teach the claim limitation wherein the instructions cause the computer to detect a type 
of the communication traffic that appears to be of the malicious origin, and to filter the 
communication traffic by intercepting the communication traffic of the detected type. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to detect a type of the communication traffic that appears to be of the 
malicious origin, and to filter the communication traffic by intercepting the 
communication traffic of the detected type (figure 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Trcka so as to filter the suspicious packets. One 
would be motivated to do so to ensure the safety of the network. 

102. As to claim 87, Lyle teaches the product as recited in claim 86, wherein the type 
of the communication traffic that appears to be of the malicious origin is characterized 
by at least one of a communication protocol and a port (col 5, lines 34-44; Lyle 
discloses that the product manages the exchange of information between network 
elements located at different physical locations via external connections such as an 
Internet connection). 

103. As to claim 88, Lyle teaches the product as recited in claim 86, wherein the 
instructions cause the computer to determine one or more source addresses of the 
communication traffic that appears to be of the malicious origin, and to intercept the 
communication traffic sent from the one or more source addresses (col 16, lines 44-49; 
Lyle discloses that the product tracks the source of an attack to determine the point 
of attack at which it is entering the network or sub-network). 
104. As to claim 91, Lyle teaches the product as recited in claim 69. But Lyle fails to 
teach the claim limitation wherein the instructions cause the computer to monitor and 
filter the communication traffic that is transmitted into a protected area of the network 
containing the group of the addresses so as to exclude the communication traffic from 
the area. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to monitor and filter the communication traffic that is transmitted into a 
protected area of the network containing the group of the addresses so as to exclude 
the communication traffic from the area (figure 5). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Trcka so as to filter the suspicious packets that 
try to enter the protected area. One would be motivated to do so to improve 
the network security. 

105. As to claim 92, Lyle teaches the product as recited in claim 91, wherein the 
instructions cause the computer to monitor the communication traffic that is transmitted 
by computers in the protected area so as to detect an infection of one or more of the 
computers by a malicious program (col 10, lines 35-38; Lyle discloses that the product 
tracks the system interconnect across the network, such as a private network, which 
is a protected area). 
Claims 104, 106 & 108 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Lyle, Patent No. 6,886,102 B1 in view of Bartleson, Patent No. 6,934,857 B1. 

Lyle teaches the invention substantially as claimed including system and method 
for protecting a computer network against denial of service attacks (see abstract). 

106. As to claim 104, Lyle teaches the method as recited in claim 1. But Lyle fails to 
teach the claim limitation wherein identifying the subset comprises selecting trap 
addresses that are not used by actual computers for inclusion in the subset. 

However, Bartleson teaches a security system and method for handheld 
computers (see abstract). Bartleson teaches the limitation wherein identifying the 
subset comprises selecting trap addresses that are not used by actual computers for 
inclusion in the subset (col 6, line 44 - col 7, line 24). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Bartleson so that the patch is loaded in the 
operating system when the security system is enabled. One would be motivated to do 
so to create the trap address from the original address, replace it with the new patch, and 
transfer the information to the trap address once the virus or malicious packets are 
detected. 
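The counting rule of claims 84 and 85 (increment only when no previously counted packet shared the source or the destination address) and the trap-address subset of claim 104 can be read together as one detector. The following is an added illustration, not code from the office action or from the Lyle or Bartleson patents; the addresses, the trap subset and the decision to count only traffic addressed to the trap subset are constructed assumptions.

```python
"""Added illustration of the claim 84/85 counting rule over a trap-address
subset (claim 104). Not from the office action or the cited patents; all
addresses below are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class WormCounter:
    # Claim 104: trap addresses assigned to no real host form the monitored
    # subset, which is expected to receive little legitimate traffic.
    trap_addresses: frozenset
    count: int = 0
    seen_src: set = field(default_factory=set)   # sources of counted packets
    seen_dst: set = field(default_factory=set)   # destinations of counted packets

    def increment_for(self, src: str, dst: str) -> int:
        """Amount by which the count grows for packet (src, dst).

        Claim 85 rule: a packet counts only if none of the previously
        counted packets had the same source address or the same destination
        address, so each counted packet is a new source reaching a new trap.
        (Counting only traffic aimed at the trap subset is an assumption.)
        """
        if dst not in self.trap_addresses:
            return 0                    # not aimed at the monitored subset
        if src in self.seen_src or dst in self.seen_dst:
            return 0                    # repeat source or repeat destination
        return 1

    def observe(self, src: str, dst: str) -> int:
        """Apply the increment for one packet and return the running count."""
        amount = self.increment_for(src, dst)
        if amount:
            self.count += amount
            self.seen_src.add(src)
            self.seen_dst.add(dst)
        return self.count


def run_constructed_sample() -> list:
    """Feed a constructed packet sequence and return the count after each."""
    trap = frozenset({"10.0.0.200", "10.0.0.201", "10.0.0.202"})
    counter = WormCounter(trap)
    packets = [
        ("10.0.0.5", "10.0.0.200"),   # new source, new trap: count 1
        ("10.0.0.5", "10.0.0.201"),   # same source as a counted packet: no change
        ("10.0.0.7", "10.0.0.200"),   # same destination as a counted packet: no change
        ("10.0.0.7", "10.0.0.202"),   # new source, new trap: count 2
        ("10.0.0.9", "10.0.0.50"),    # real host, not in the trap subset: ignored
    ]
    return [counter.observe(s, d) for s, d in packets]
```

A rising count therefore reflects distinct sources probing distinct unused addresses, the pattern the claims associate with scanning worm traffic, while a single chatty host cannot inflate it.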

107. As to claim 106, Lyle teaches the apparatus as recited in claim 35. But Lyle 
fails to teach the claim limitation wherein the subset includes trap addresses that are 
not used by actual computers. 

However, Bartleson teaches the limitation wherein the subset includes trap 
addresses that are not used by actual computers (col 6, line 44 - col 7, line 24). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Bartleson so that the patch is loaded in the 
operating system when the security system is enabled. One would be motivated to do 
so to create the trap address from the original address, replace it with the new patch, and 
transfer the information to the trap address once the virus or malicious packets are 
detected. 

108. As to claim 108, Lyle teaches the product as recited in claim 69. But Lyle fails 
to teach the claim limitation wherein the subset includes trap addresses that are not 
used by actual computers. 

However, Bartleson teaches the limitation wherein the subset includes trap 
addresses that are not used by actual computers (col 6, line 44 - col 7, line 24). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Bartleson so that the patch is loaded in the 
operating system when the security system is enabled. One would be motivated to do 
so to create the trap address from the original address, replace it with the new patch, and 
transfer the information to the trap address once the virus or malicious packets are 
detected. 



Response to Arguments 

Applicant's arguments filed 7/19/06 have been fully considered but they are not 
persuasive. In response to Applicant's argument, the Patent Office maintains the 
rejection. In the remarks, the applicant argues in substance that: A) Lyle fails to 
disclose or suggest communication failures or how they should be handled, and does 
not even hint that packets indicative of such failures could be used in filtering worm-generated 
traffic; B) Lyle fails to relate in any way to whether packets are well formed 
or ill formed, and certainly does not suggest that detection of ill-formed packets might be 
used in determining that a worm infection has occurred. 

In response to A): Applicant argues that Lyle does not teach communication 
failures or how they should be handled, and does not even hint that packets indicative 
of such failures could be used in filtering worm-generated traffic. In response to 
Applicant's argument, the Patent Office maintains the rejection because Lyle does teach 
communication failures or how they should be handled, and does not even hint that 
packets indicative of such failures could be used in filtering worm-generated traffic (col 
14, lines 26-34; Lyle discloses that the framework module analyzes and takes the 
responsive action, determining to alert the network security administrator and to 
stop the malicious flow of network traffic). Lyle discloses the method of stopping 
the malicious flow of network traffic or sending an alert or email message to a network 
security administrator. 

In response to B): Applicant argues that Lyle does not teach whether packets are 
well formed or ill formed, and certainly does not suggest that detection of ill-formed 
packets might be used in determining that a worm infection has occurred. In response 
to Applicant's argument, the Patent Office maintains the rejection because Lyle does 
teach whether packets are well formed or ill formed, and certainly does not suggest that 
detection of ill-formed packets might be used in determining that a worm infection has 
occurred (col 7, lines 10-19; col 8, lines 26-39; col 10, lines 15-35; Lyle discloses that 
the method determines the alert module for the potential attack). Lyle discloses that 
the method searches for or determines the suspicious data or suspected attack, which 
is the same as determining that ill-formed packets or a worm infection has occurred. 



Contact Information 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Thuong (Tina) Nguyen whose telephone number is 571-272-3864, 
and the fax number is 571-273-3864. The examiner can normally be 
reached from 8:00 AM to 5:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Saleh Najjar can be reached on 571-272-4006. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

Thuong (Tina) Nguyen 
Patent Examiner/Art Unit 2155 